Rsyslog log collection service and display with Loganalyzer tools

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

I. Overview of logs

1. Introduction to rsyslog

Syslog is a log collection and storage service that records log information from the kernel and from programs that use this service. A record generally has the form "date and time, host, process: event". Syslog can record not only the local system log but also the program logs of remote hosts, received over TCP or UDP.

Syslog: the original syslog service, made up of two processes:

syslogd: records application-related logs

klogd: records kernel-related logs

Rsyslog: an upgraded version of syslog that uses multithreading to record local and remote logs concurrently. It can store log information in MySQL, PostgreSQL, Oracle and other RDBMSs, and has a powerful filter that can match any content in a log.

Rsyslog is the logging system used by CentOS 6 and later, and has the following advantages over the earlier syslog system:

Support for multithreading

Supports TCP, SSL, TLS, RELP and other protocols

Powerful filter to filter any part of the log information

Support for custom output formats

Suitable for enterprise-level logging requirements

Modularization

Record format of the log:

date time host process[pid]: event content
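The record layout above can be turned into a small parser. The following is an added example (not code from the article or from rsyslog) that splits records in this format into their fields, handles lines without a process name or pid (such as the periodic "-- MARK --" line), and then runs two typical defender checks over a few constructed sample lines: a count of records per process and the source addresses of failed sshd password attempts. The sample lines are constructed for the example and are not real logs.

```python
"""Parse rsyslog's traditional file record format: "date time host process[pid]: event".

Added example, not part of the original article. The sample lines below are
constructed to look like /var/log/messages and /var/log/secure entries.
"""
import re
from collections import Counter

# date (e.g. "May 11" or "May  1"), time, host, optional "process[pid]: ", then the event text
RECORD_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<process>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?"   # absent on "-- MARK --" lines
    r"(?P<event>.*)$"
)

# sshd's failed-login event text, as written to the authpriv facility
FAILED_PASSWORD_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample lines (not real logs).
SAMPLE_LINES = [
    "May 11 19:37:06 master sshd[1234]: Accepted password for root from 192.168.137.1 port 53122 ssh2",
    "May 11 19:38:00 master kernel: usb 1-1: new high-speed USB device number 3 using ehci-pci",
    "May 11 19:40:00 master -- MARK --",
    "May 11 19:41:02 master sshd[1240]: Failed password for invalid user admin from 192.168.137.1 port 53130 ssh2",
    "May  1 08:00:01 node2 yum[2210]: Erased: lrzsz",
    "this line is not in syslog format",
]


def parse_record(line):
    """Split one record into its fields; return None for lines not in this format."""
    m = RECORD_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] is not None else None
    return rec


def count_by_process(lines):
    """Records per process; records without a process (mark lines) count under '-'."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            counts[rec["process"] or "-"] += 1
    return counts


def failed_password_sources(lines):
    """Source addresses of sshd 'Failed password' events, a first check on /var/log/secure."""
    sources = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["process"] != "sshd":
            continue
        m = FAILED_PASSWORD_RE.search(rec["event"])
        if m:
            sources[m.group("src")] += 1
    return sources


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_record(line))
    print(count_by_process(SAMPLE_LINES))
    print(failed_password_sources(SAMPLE_LINES))
```

The regex deliberately makes the "process[pid]: " part optional: rsyslog's own mark messages and some kernel lines carry no pid, and a parser that insists on one silently drops exactly the records an analyst later goes looking for.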

2. Some concepts of rsyslog

An application on the system writes its logs to a particular channel (facility), and each channel has a default recording level. Once the application generates log information, it is written through this channel to the specified local file, database or remote rsyslog server.

Of course, an application's log output is generally divided by level. For example, sshd_config defines the channel authpriv and the level info:

# Logging
SyslogFacility AUTHPRIV
#LogLevel INFO

3. Facility and priority supported by rsyslog

Facility: the facility, or channel

Logs are classified by function or program, and a dedicated facility is responsible for recording each class.

Commonly used facilities:

lpr: printing-related logs

auth: authentication-related logs

user: user-level program logs

cron: logs related to scheduled tasks

kern: kernel-related logs

mail: mail-related logs

mark: periodic timestamp (mark) messages

news: news-related logs

uucp: logs related to UUCP file copying

daemon: logs related to system services

authpriv: authorization-related logs (private authentication, e.g. sshd logins as configured above)

security: security-related logs (an older name for auth)

syslog: log information generated by the syslog daemon itself. Although the service is now named rsyslogd, many configurations still use the name syslog, so it has not been renamed here.

local0-local7: user-defined log facilities (wildcards can be used when referring to them)

Priority: the level

debug # debugging information; the most verbose level

info # general informational messages; the most commonly used

notice # normal but significant conditions

warning, warn # warning level

err, error # error level: a function or module cannot work properly

crit # critical level: the whole system or software cannot work properly

alert # action must be taken immediately

emerg, panic # kernel crash and other very serious conditions

From top to bottom the level goes from low to high, and less and less information is recorded. If you set the log level to err, logs lower than the err level are not recorded.

II. Rsyslog configuration

1. Program environment

Package: rsyslog

Configuration files: /etc/rsyslog.conf, /etc/rsyslog.d/*.conf

Main program: /usr/sbin/rsyslogd

Module path: /lib64/rsyslog/

Unit file: /usr/lib/systemd/system/rsyslog.service

2. Detailed explanation of configuration file / etc/rsyslog.conf format

It is made up of three sections, and each setting must be added in the section it belongs to:

[root@centos6.8 ~]# grep "####" /etc/rsyslog.conf
#### MODULES ####
#### GLOBAL DIRECTIVES ####
#### RULES ####

MODULES: defines the modules to load. For example, to write logs to MySQL, the mysql output module is loaded here.

GLOBAL DIRECTIVES: defines the global environment

RULES: defines the logging facilities, levels and other information

The format of the definition rule is:

facility.priority    target

Wildcards that can be used by facility:

*: all

,: a list, such as f1,f2,f3

!: negation (exclude the given priority and higher)

Wildcards that can be used by priority:

*: all log levels

none: no level, that is, no log information from this facility

Target: destination, which refers to the location where the log is saved

The following can be used:

A file, such as /var/log/messages

A user; * represents all users currently logged in to the system

A log server: @host (the host must be listening on port 514 over TCP or UDP; @host forwards over UDP and @@host over TCP)

A pipe: |COMMAND

For example:

mail.info    /var/log/maillog

Records all mail logs at info level and above in the file /var/log/maillog.

mail.=info records only info-level logs.

mail.!info excludes info and higher levels, so only the levels below info remain.

*.info means info level and above for all facilities.

mail,news.info means both mail and news at info level and above.
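The selector semantics described above (a level means "that level and above", = means exactly that level, ! removes a level and everything more severe from what earlier selectors on the same line selected, none drops a facility entirely, and ";" chains selectors left to right) are easy to get wrong when writing rules. The block below is an added example, not code from the article or from rsyslog: it compiles a selector into a per-facility severity bitmask the way the sysklogd-style parser does, and then routes a message through a copy of the article's default RULES to show which files it would land in. Facility and priority names are the standard syslog ones; the rule list is transcribed from the article's /etc/rsyslog.conf.

```python
"""Evaluate traditional rsyslog selectors ("facility.priority") against a message.

Added example (not from the original article). The rules at the bottom mirror
the article's default RULES section so a message can be traced to its targets.
"""

# Severity codes as defined by syslog: numerically smaller = more severe.
PRIORITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
    "cron", "authpriv", "ftp",
] + ["local%d" % i for i in range(8)]
ALL_PRI = (1 << 8) - 1  # bit mask with every severity selected


def compile_selector(selector):
    """Return {facility: severity bitmask} for a selector such as
    "*.info;mail.none;authpriv.none;cron.none".

    Sub-selectors separated by ';' are applied left to right; each one adds
    severities, or (with '!' or 'none') removes them.
    """
    masks = {f: 0 for f in FACILITIES}
    for part in selector.split(";"):
        part = part.strip()
        if not part:
            continue
        facs, dot, pri = part.rpartition(".")
        if not dot or not facs or not pri:
            raise ValueError("malformed selector: %r" % part)
        pri = pri.lower()
        ignore = pri.startswith("!")      # '!' removes this level and everything more severe
        pri = pri[1:] if ignore else pri
        single = pri.startswith("=")      # '=' means exactly this level, nothing above it
        pri = pri[1:] if single else pri
        targets = FACILITIES if facs.strip() == "*" else [f.strip().lower() for f in facs.split(",")]
        for fac in targets:
            if fac not in masks:
                raise ValueError("unknown facility: %r" % fac)
            if pri == "none":
                masks[fac] = 0
            elif pri == "*":
                masks[fac] = 0 if ignore else ALL_PRI
            else:
                level = PRIORITIES[pri]   # KeyError for an unknown priority name
                # bits for this level alone, or for this level and all more severe ones
                bits = (1 << level) if single else (1 << (level + 1)) - 1
                masks[fac] = masks[fac] & ~bits if ignore else masks[fac] | bits
    return masks


def matches(selector, facility, priority):
    """True if a message with this facility and priority is selected."""
    masks = compile_selector(selector)
    return bool(masks[facility.lower()] & (1 << PRIORITIES[priority.lower()]))


# The article's default RULES section, as (selector, target) pairs.
ARTICLE_RULES = [
    ("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages"),
    ("authpriv.*", "/var/log/secure"),
    ("mail.*", "-/var/log/maillog"),
    ("cron.*", "/var/log/cron"),
    ("*.emerg", "*"),
    ("uucp,news.crit", "/var/log/spooler"),
    ("local7.*", "/var/log/boot.log"),
]


def route(rules, facility, priority):
    """Targets a message would be delivered to, in rule order (rules are not exclusive)."""
    return [target for selector, target in rules if matches(selector, facility, priority)]


if __name__ == "__main__":
    for fac, pri in [("kern", "warning"), ("authpriv", "info"), ("mail", "emerg"), ("uucp", "crit")]:
        print("%s.%s -> %s" % (fac, pri, route(ARTICLE_RULES, fac, pri)))
```

Note that route() can return several targets: with the default rules a uucp.crit message goes to both /var/log/messages and /var/log/spooler, and a mail.emerg message goes to the mail log and to every logged-in user. Note also that a lone mail.!info selects nothing, because "!" only takes away; it produces "levels below info" when it follows a selector such as mail.* on the same line.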

Some logs are recorded in binary format: /var/log/wtmp, /var/log/btmp

/var/log/wtmp: successful logins on the current system; view with last

/var/log/btmp: failed login attempts on the current system; view with lastb

lastlog command: displays the most recent login time of each user on the current system

3. Configuration file / etc/rsyslog.conf detailed explanation

#### MODULES ####   log modules
$ModLoad imuxsock   # imuxsock: module that supports local system logs (the local log socket)
$ModLoad imklog     # imklog: module that supports kernel logs
#$ModLoad immark    # immark: module that supports log mark messages
#$ModLoad imudp     # imudp: module that supports the UDP protocol
#$UDPServerRun 514  # opens port 514 to receive logs forwarded over UDP
#$ModLoad imtcp     # imtcp: module that supports the TCP protocol
#$InputTCPServerRun 514   # opens port 514 to receive logs forwarded over TCP

#### GLOBAL DIRECTIVES ####   log format directives
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat   # defines the default template for the log format
$IncludeConfig /etc/rsyslog.d/*.conf   # loads all files ending in .conf from the rsyslog.d directory

#### RULES ####
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
# records info level and above from all facilities to /var/log/messages, except mail messages, authpriv authentication information and cron scheduled-task information
authpriv.*    /var/log/secure
# authpriv authentication-related information is stored in /var/log/secure
mail.*    -/var/log/maillog
# all mail information is stored in /var/log/maillog; the leading - means the log is written asynchronously, because mail logs are generally large
cron.*    /var/log/cron
# scheduled-task information is stored in /var/log/cron
*.emerg    *
# all messages at emerg level or above are sent via wall to everyone logged in to the system (* means all users)
uucp,news.crit    /var/log/spooler
# uucp and news logs at crit level or above are stored in /var/log/spooler
local7.*    /var/log/boot.log
# local server startup messages are stored in /var/log/boot.log

III. Configure storing log information in MySQL and analyze the logs with the front-end Loganalyzer tool

1. Configure rsyslog to store logs in MySQL

(1) Prepare the MySQL server: create a user and grant full access to the Syslog database

mysql> grant all on Syslog.* to 'syslog'@'192.168.137.%' identified by '123456';

(2) install rsyslog-mysql package on rsyslog service

yum install -y rsyslog-mysql

(3) create a database that rsyslog-mysql depends on

rpm -ql rsyslog-mysql
/lib64/rsyslog/ommysql.so
/usr/share/doc/rsyslog-mysql-5.8.10
/usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql    ## location of the database creation script

# yum install -y mysql    ## the rsyslog server installs the mysql client

# mysql -usyslog -p123456 -h192.168.137.130 --default-character-set=utf8 < /usr/share/doc/rsyslog-mysql-5.8.10/createDB.sql

mysql> use Syslog
Database changed
mysql> show tables;
+------------------------+
| Tables_in_Syslog       |
+------------------------+
| SystemEvents           |
| SystemEventsProperties |
+------------------------+

(4) configure rsyslog to use ommysql module

vim /etc/rsyslog.conf

#### MODULES ####
$ModLoad ommysql

#### RULES ####
*.info;mail.none;authpriv.none;cron.none    :ommysql:192.168.137.130,Syslog,syslog,123456

Restart the rsyslog service: service rsyslog restart

(5) Test log recording

On the rsyslog server, generate a log entry: yum remove lrzsz

mysql> select * from SystemEvents\G
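Because the legacy rsyslog.conf syntax is positional (step (4) above puts $ModLoad in MODULES and the action in RULES, and the ommysql action carries the database password in the file itself), a small consistency check before restarting the service saves a round of "why is nothing arriving in the database". The following is an added example, not code from the article or from rsyslog: it parses the three sections of a legacy-syntax rsyslog.conf, verifies that every ommysql action and every network listener has its module loaded, and flags clear-text database credentials and open UDP reception. The sample configuration is constructed to mirror the article's step (4) and is not the article's file verbatim.

```python
"""Sanity-check the legacy-syntax /etc/rsyslog.conf layout the article describes.

Added example (not part of the article or of rsyslog itself). It parses the
three sections, checks that every action and listener has its module loaded,
and flags database credentials kept in clear text in the file.
"""
import re

RULE_RE = re.compile(r"^(?P<selector>\S+)\s+(?P<target>.+)$")

# Listener directives and the input module each one needs.
LISTENER_MODULES = {"$UDPServerRun": "imudp", "$InputTCPServerRun": "imtcp"}


def parse_conf(text):
    """Return (modules, directives, rules) from legacy rsyslog.conf text.

    Assumes no '#' inside a target (for example in a database password), since
    everything after '#' is treated as a comment.
    """
    modules, directives, rules = [], {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ModLoad"):
            modules.append(line.split()[1])
        elif line.startswith("$"):
            name, _, value = line.partition(" ")
            directives[name] = value.strip()
        else:
            m = RULE_RE.match(line)
            if m is None:
                raise ValueError("not a rule line: %r" % line)
            rules.append((m.group("selector"), m.group("target")))
    return modules, directives, rules


def lint(text):
    """Return a list of findings (an empty list means nothing to report)."""
    modules, directives, rules = parse_conf(text)
    findings = []
    for directive, module in LISTENER_MODULES.items():
        if directive in directives and module not in modules:
            findings.append("%s is set but $ModLoad %s is missing" % (directive, module))
    if "imudp" in modules and "$UDPServerRun" in directives:
        findings.append("UDP reception on port %s: syslog over UDP is unauthenticated and "
                        "unencrypted, so restrict the sender range at the firewall"
                        % directives["$UDPServerRun"])
    for selector, target in rules:
        if target.startswith(":ommysql:"):
            if "ommysql" not in modules:
                findings.append("rule %r uses ommysql but $ModLoad ommysql is missing" % selector)
            fields = target[len(":ommysql:"):].split(",")   # host,database,user,password
            if len(fields) == 4 and fields[3]:
                findings.append("rule %r stores the MySQL password in clear text in rsyslog.conf; "
                                "keep the file readable by root only" % selector)
    return findings


# Constructed configuration mirroring the article's step (4), trimmed to the relevant lines.
SAMPLE_CONF = """\
#### MODULES ####
$ModLoad imuxsock
$ModLoad imklog
$ModLoad imudp
$UDPServerRun 514
$ModLoad ommysql

#### GLOBAL DIRECTIVES ####
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####
*.info;mail.none;authpriv.none;cron.none  :ommysql:192.168.137.130,Syslog,syslog,123456
authpriv.*  /var/log/secure
*.emerg  *
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("-", finding)
```

Run against the sample, the linter reports only the two things worth knowing about the article's setup: the password sits in a file that is usually world-readable, and port 514/UDP accepts anything that reaches it. Removing the "$ModLoad ommysql" line from the sample reproduces the classic silent failure, which the linter then reports as a missing module.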

2. Install loganalyzer (rsyslog dedicated front-end display tool)

(1) Prepare the environment. Loganalyzer is a web application written in PHP.

yum install -y httpd php php-mysql php-gd    (mysql, mysql-server and rsyslog-mysql were installed earlier)

Test that httpd works and can run PHP:

[root@master ~]# cd /var/www/html/
[root@master html]# vim index.php

Hello world!

My Blog is "http://guopeng7216.blog.51cto.com/"

Test the combination of PHP and MySQL:

[root@localhost html]# cat index.php

(2) download loganalyzer and install it

http://pan.baidu.com/s/1nvsN5rz

~]# tar xf loganalyzer-3.6.4.tar.gz
~]# cd loganalyzer-3.6.4
loganalyzer-3.6.4]# cp -r src /var/www/html/loganalyzer
loganalyzer-3.6.4]# cp contrib/*.sh /var/www/html/loganalyzer/
loganalyzer-3.6.4]# cd /var/www/html/loganalyzer/
loganalyzer]# chmod u+x *.sh
loganalyzer]# ./configure.sh
loganalyzer]# ./secure.sh
loganalyzer]# chown -R apache:apache ./*

Modify rsyslog's configuration file rsyslog.conf: only two input modules need to be enabled so that messages sent over TCP and UDP are accepted, and the output is set to the Syslog database in MySQL.

# Provides UDP syslog reception

$ModLoad imudp

$UDPServerRun 514

# Provides TCP syslog reception

$ModLoad imtcp

$InputTCPServerRun 514

Log data is stored in the database; all other rules are commented out.

*.*    :ommysql:192.168.137.150,Syslog,syslog,123456

Install loganalyzer by opening:

http://192.168.137.150/loganalyzer/install.php

Test the loganalyzer log system: connect to 192.168.137.150 over ssh from the local computer

[root@centos-7 loganalyzer]# ssh 192.168.137.150
root@192.168.137.150's password:
Last login: Thu May 11 19:37:06 2017 from centos-7

Reconfigure loganalyzer:

loganalyzer]# rm -f config.php
loganalyzer]# ./configure.sh
loganalyzer]# ./secure.sh
loganalyzer]# chmod 666 config.php

http://192.168.137.150/loganalyzer/install.php


© 2024 shulou.com SLNews company. All rights reserved.
